Setting up cloud access rights
To grant a user access to cloud resources, assign the user a role for the cloud.
Assign a role for the cloud
Management console
- In the management console, select a cloud.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click
- Click Save.
CLI
- View a description of the command to assign a role for a cloud:

```
yc resource-manager cloud add-access-binding --help
```

- Get a list of available clouds:

```
yc resource-manager cloud list
```

Result:

```
+----------------------+----------+
| ID                   | NAME     |
+----------------------+----------+
| b1gg8sgd16g7******** | my-cloud |
+----------------------+----------+
```

- Get a list of available roles:

```
yc iam role list
```

Result:

```
+--------------------------------+-------------+
| ID                             | DESCRIPTION |
+--------------------------------+-------------+
| admin                          |             |
| compute.images.user            |             |
| editor                         |             |
| ...                            |             |
+--------------------------------+-------------+
```

- Find out the user ID from the login or email address. To assign a role to a service account or system group instead of a user, see the examples below.

```
yc iam user-account get test-user
```

Result:

```
id: gfei8n54hmfh********
yandex_passport_user_account:
  login: test-user
  default_email: test-user@yandex.ru
```

- Assign the editor role for the my-cloud cloud to the test-user user. In the subject, specify the userAccount type and the user ID:

```
yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject userAccount:<user_ID>
```
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.

- Describe the properties of the cloud access rights in a configuration file:
  - cloud_id: cloud ID. You can get a list of available clouds using the CLI command yc resource-manager cloud list.
  - role: role to be assigned. You can get a list of roles using the CLI command yc iam role list. In one yandex_resourcemanager_cloud_iam_member resource, you can assign only one role.
  - member: subject to assign the role to. Each yandex_resourcemanager_cloud_iam_member resource may have one of the following values:
    - userAccount:<user_ID>: user ID
    - serviceAccount:<service_account_ID>: service account ID
    - federatedUser:<federated_account_ID>: federated account ID
    - system:<system_group>: system group (allUsers or allAuthenticatedUsers), as in the public access example below

Here is an example of the configuration file structure:

```
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "editor"
  member   = "userAccount:<user_ID>"
}
```

For more information about the yandex_resourcemanager_cloud_iam_member resource parameters in Terraform, see the provider documentation.
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using this command:

```
terraform validate
```

If the configuration is correct, you will get this message:

```
Success! The configuration is valid.
```

- Run this command:

```
terraform plan
```

The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

- Apply the configuration changes:

```
terraform apply
```

- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
API
Use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.
You will need the cloud ID and the ID of the user who is assigned the role for the cloud.

- Find out the cloud ID using the list REST API method:

```
curl -H "Authorization: Bearer <IAM_token>" \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
```

Result:

```
{
  "clouds": [
    {
      "id": "b1gg8sgd16g7********",
      "createdAt": "2018-09-23T12:14:45Z",
      "name": "cloud-b1gg8sgd16g7qc"
    }
  ]
}
```

- Find out the user ID by login using the getByLogin REST API method:

```
curl -H "Authorization: Bearer <IAM_token>" \
  https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
```

Result:

```
{
  "id": "gfei8n54hmfh********",
  "yandexPassportUserAccount": {
    "login": "test-user",
    "defaultEmail": "test-user@yandex.ru"
  }
}
```

- Assign the user the editor role for the my-cloud cloud. Set the action property to ADD and specify the userAccount type and the user ID in the subject property:

```
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM_token>" \
  -d '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "<user_ID>",
          "type": "userAccount"
        }
      }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
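The curl calls on this page hand-write the updateAccessBindings body for one subject at a time. As an added example (not code from the Yandex Cloud documentation, yc or the API), the POSIX shell helper below builds that body for any of the subject types the page uses (userAccount, serviceAccount, federatedUser, system), rejects an unknown subject type, refuses the editor/admin-to-system-group combination the page warns against later, and prints the curl command as a dry run instead of sending it. The function names, ALLOWED_SUBJECT_TYPES and the IAM_TOKEN variable are this example's assumptions; the endpoint, body shape and the ADD/REMOVE actions are those of the Resource Manager API.

```sh
#!/bin/sh
# Added example (not from the Yandex Cloud docs, yc or the API): build the
# JSON body for clouds/<cloud_ID>:updateAccessBindings without sending it.
# Assumptions of this example: the function names, ALLOWED_SUBJECT_TYPES and
# the IAM_TOKEN variable; the endpoint, body shape and the ADD/REMOVE actions
# are those of the Resource Manager API.

# Subject types this page uses for cloud access bindings.
ALLOWED_SUBJECT_TYPES="userAccount serviceAccount federatedUser system"

# subject_type_ok TYPE: succeeds when TYPE is one of the documented subject types.
subject_type_ok() {
    for t in $ALLOWED_SUBJECT_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# access_binding_delta ACTION ROLE TYPE:ID
#   Prints one accessBindingDeltas element. Refuses an unknown action, an
#   unknown subject type, and granting editor or admin to a system group
#   (allUsers / allAuthenticatedUsers), which would open the cloud to anyone.
access_binding_delta() {
    action=$1 role=$2 subject=$3
    stype=${subject%%:*} sid=${subject#*:}
    case "$action" in
        ADD|REMOVE) ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    subject_type_ok "$stype" || { echo "unknown subject type: $stype" >&2; return 1; }
    if [ "$action" = ADD ] && [ "$stype" = system ]; then
        case "$role" in
            editor|admin) echo "refusing to grant $role to system group $sid" >&2; return 1 ;;
        esac
    fi
    printf '{"action":"%s","accessBinding":{"roleId":"%s","subject":{"id":"%s","type":"%s"}}}' \
        "$action" "$role" "$sid" "$stype"
}

# update_access_bindings_body ROLE=TYPE:ID ...
#   Prints a request body with one ADD delta per argument, e.g.
#   update_access_bindings_body editor=userAccount:<user_ID> viewer=serviceAccount:<service_account_ID>
update_access_bindings_body() {
    body='{"accessBindingDeltas":['
    sep=''
    for pair in "$@"; do
        delta=$(access_binding_delta ADD "${pair%%=*}" "${pair#*=}") || return 1
        body="$body$sep$delta"
        sep=','
    done
    printf '%s]}' "$body"
}

# update_access_bindings_curl CLOUD_ID ROLE=TYPE:ID ...
#   Dry run: prints the curl command instead of executing it. Paste it into a
#   shell with IAM_TOKEN exported to apply the bindings.
update_access_bindings_curl() {
    cloud_id=$1; shift
    body=$(update_access_bindings_body "$@") || return 1
    printf '%s\n' "curl -X POST -H 'Content-Type: application/json' \\" \
        "  -H \"Authorization: Bearer \$IAM_TOKEN\" \\" \
        "  -d '$body' \\" \
        "  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/$cloud_id:updateAccessBindings"
}

# Example call with constructed placeholder IDs: a user as editor, a service account as viewer.
update_access_bindings_curl b1gg8sgd16g7example \
    editor=userAccount:gfei8n54hmfhexample \
    viewer=serviceAccount:ajebqtreob2dexample
```

The guard in access_binding_delta is deliberately narrow: it only blocks what the page itself forbids, so a viewer grant to allAuthenticatedUsers still goes through, and REMOVE deltas are never blocked so the helper can also be used to revoke a binding.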
Assign multiple roles
Management console
- In the management console, select a cloud.
- Click the Access bindings tab.
- Click Assign bindings.
- In the Configure access bindings window, click Select user.
- Select a user from the list or search for a user.
- Click Add role.
- Select a role in the cloud.
- Use the Add role button to add another role.
- Click Save.
CLI
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted.
- Make sure the resource has no roles assigned that you would rather not lose:

```
yc resource-manager cloud list-access-bindings my-cloud
```

- For example, assign a role to multiple users:

```
yc resource-manager cloud set-access-bindings my-cloud \
  --access-binding role=editor,subject=userAccount:<first_user_ID> \
  --access-binding role=viewer,subject=userAccount:<second_user_ID>
```

For federated users, use the federatedUser subject type:

```
yc resource-manager cloud set-access-bindings my-cloud \
  --access-binding role=editor,subject=federatedUser:<first_user_ID> \
  --access-binding role=viewer,subject=federatedUser:<second_user_ID>
```
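Because set-access-bindings replaces the whole binding set, the "make sure the resource has no roles you would rather not lose" step deserves more than eyeballing the listing. The following POSIX shell script is an added example, not part of yc: it converts list-access-bindings output to one line per binding, reports every current binding that is absent from the desired set (exactly the bindings set-access-bindings would delete), and prints the resulting yc command. The YAML layout parsed by yc_bindings_to_lines (role_id, subject.id and subject.type per binding) and the SAMPLE_LISTING are assumptions of this example; on a real cloud, feed it with yc resource-manager cloud list-access-bindings my-cloud | yc_bindings_to_lines.

```sh
#!/bin/sh
# Added example (not part of yc): pre-flight check for
# "yc resource-manager cloud set-access-bindings", which replaces every
# binding on the cloud. Assumptions of this example: the YAML layout parsed by
# yc_bindings_to_lines (role_id, subject.id, subject.type per binding) and the
# constructed SAMPLE_LISTING standing in for real list-access-bindings output.

# Constructed sample listing: one editor user and one viewer service account.
SAMPLE_LISTING='- role_id: editor
  subject:
    id: gfei8n54hmfhexample
    type: userAccount
- role_id: viewer
  subject:
    id: ajebqtreob2dexample
    type: serviceAccount'

# yc_bindings_to_lines: stdin = listing as above, stdout = one "ROLE TYPE:ID" line per binding.
# Real use: yc resource-manager cloud list-access-bindings my-cloud | yc_bindings_to_lines
yc_bindings_to_lines() {
    awk '
        /^- role_id:/ { role = $3; id = ""; type = "" }
        /^ +id:/      { id = $2 }
        /^ +type:/    { type = $2 }
        { if (role != "" && id != "" && type != "") { print role " " type ":" id; id = ""; type = "" } }
    '
}

# bindings_to_be_deleted HAVE WANT
#   HAVE and WANT are "ROLE TYPE:ID" lines. Prints every line of HAVE that is
#   absent from WANT: exactly what set-access-bindings with WANT would remove.
bindings_to_be_deleted() {
    have=$1 want=$2
    printf '%s\n' "$have" | sort -u | while IFS= read -r line; do
        [ -z "$line" ] && continue
        printf '%s\n' "$want" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# set_access_bindings_command CLOUD WANT: prints the yc command that installs WANT as the full binding set.
set_access_bindings_command() {
    cloud=$1 want=$2
    flags=$(printf '%s\n' "$want" | awk 'NF == 2 { printf " --access-binding role=%s,subject=%s", $1, $2 }')
    printf 'yc resource-manager cloud set-access-bindings %s%s\n' "$cloud" "$flags"
}

# Desired state: keep the editor, replace the viewer service account with a second user.
current=$(printf '%s\n' "$SAMPLE_LISTING" | yc_bindings_to_lines)
desired='editor userAccount:gfei8n54hmfhexample
viewer userAccount:aje0second0example'

lost=$(bindings_to_be_deleted "$current" "$desired")
if [ -n "$lost" ]; then
    echo "set-access-bindings would delete these bindings; add them to the desired set if they must survive:" >&2
    printf '%s\n' "$lost" | sed 's/^/  /' >&2
fi
set_access_bindings_command my-cloud "$desired"
```

With the sample data the script reports that the viewer binding of the service account would be lost, which is the kind of silent removal the alert above is about; if it must survive, append its line to the desired set before running the printed command.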
Terraform
- Describe the properties of the cloud access rights in a configuration file. Assign the editor role to one user and the viewer role to another user:

```
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "editor"
  member   = "userAccount:<first_user_ID>"
}

resource "yandex_resourcemanager_cloud_iam_member" "viewer" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "viewer"
  member   = "userAccount:<second_user_ID>"
}
```
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using this command:

```
terraform validate
```

If the configuration is correct, you will get this message:

```
Success! The configuration is valid.
```

- Run this command:

```
terraform plan
```

The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

- Apply the configuration changes:

```
terraform apply
```

- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
API
Assign the editor role to one user and the viewer role to another user:

```
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM_token>" \
  -d '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "<first_user_ID>",
          "type": "userAccount"
        }
      }
    },{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "<second_user_ID>",
          "type": "userAccount"
        }
      }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
```
You can also assign roles using the setAccessBindings REST API method for the Cloud resource or the CloudService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.

```
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM_token>" \
  -d '{
    "accessBindings": [{
      "roleId": "editor",
      "subject": { "id": "<first_user_ID>", "type": "userAccount" }
    },{
      "roleId": "viewer",
      "subject": { "id": "<second_user_ID>", "type": "userAccount" }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:setAccessBindings
```
Cloud access for service accounts
A service account can be assigned roles for any cloud and folder within the organization it belongs to.
You assign roles to a service account the same way as to a user account. For example, allow the test-sa service account to manage the my-cloud cloud and its resources.
To assign a service account a role for a cloud:
Management console
- In the management console, select a cloud.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configure permissions window, click
- Go to the Service accounts section.
- Select a service account from the list or use the search.
- Click
- Choose the role.
- Click Save.
CLI
- Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:

```
yc iam service-account list
```

Result:

```
+----------------------+----------+------------------+
| ID                   | NAME     | DESCRIPTION      |
+----------------------+----------+------------------+
| ajebqtreob2d******** | test-sa  | test-description |
+----------------------+----------+------------------+
```

- Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:

```
yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject serviceAccount:<service_account_ID>
```
Terraform
- Assign the editor role to a service account:

```
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "editor"
  member   = "serviceAccount:<service_account_ID>"
}
```
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using this command:

```
terraform validate
```

If the configuration is correct, you will get this message:

```
Success! The configuration is valid.
```

- Run this command:

```
terraform plan
```

The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

- Apply the configuration changes:

```
terraform apply
```

- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
API
- Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:

```
curl -H "Authorization: Bearer <IAM_token>" \
  https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********
```

Result:

```
{
  "serviceAccounts": [
    {
      "id": "ajebqtreob2d********",
      "folderId": "b1gvmob95yys********",
      "createdAt": "2018-10-18T13:42:40Z",
      "name": "test-sa",
      "description": "test-description"
    }
  ]
}
```

- Assign the editor role for the my-cloud cloud to the test-sa service account. In the subject property, specify the serviceAccount type and the test-sa ID. In the request URL, specify the my-cloud ID:

```
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM_token>" \
  -d '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "<service_account_ID>",
          "type": "serviceAccount"
        }
      }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
```
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the allAuthenticatedUsers or allUsers system group.
You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.
For instance, allow any authenticated user to view information about the my-cloud
cloud:
Management console
- In the management console, select a cloud.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configure permissions window, click Select subject.
- Go to the Groups section.
- Select the All authenticated users group.
- Click Add role.
- Select the resource-manager.viewer role.
- Click Save.
CLI
Assign the viewer role to the allAuthenticatedUsers system group. In the subject type, specify system:

```
yc resource-manager cloud add-access-binding my-cloud \
  --role viewer \
  --subject system:allAuthenticatedUsers
```
Terraform
- Assign the viewer role to the allAuthenticatedUsers system group:

```
data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "viewer" {
  cloud_id = data.yandex_resourcemanager_cloud.project1.id
  role     = "viewer"
  member   = "system:allAuthenticatedUsers"
}
```
- In the command line, go to the directory where you created the configuration file.
- Make sure the configuration file is correct using this command:

```
terraform validate
```

If the configuration is correct, you will get this message:

```
Success! The configuration is valid.
```

- Run this command:

```
terraform plan
```

The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

- Apply the configuration changes:

```
terraform apply
```

- Confirm the changes: type yes in the terminal and press Enter. After that, access rights are granted for the cloud.
API
Assign the viewer role to the allAuthenticatedUsers system group. In the subject property, specify the system type:

```
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM_token>" \
  -d '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "allAuthenticatedUsers",
          "type": "system"
        }
      }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
```
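The alert in this section tells you what not to grant to a system group; an existing cloud also needs to be checked for such grants. The POSIX shell script below is an added example, not code from yc or the Yandex Cloud documentation: given bindings as ROLE TYPE:ID lines, it lists every binding held by a system group (allUsers, allAuthenticatedUsers), flags the editor and admin ones, and prints the yc remove-access-binding commands that revoke them (remove-access-binding takes the same --role and --subject flags as add-access-binding). SAMPLE_BINDINGS is constructed; turning real list-access-bindings output into that line form is outside this example.

```sh
#!/bin/sh
# Added example (not part of yc or the Yandex Cloud docs): audit cloud access
# bindings for system groups and print the revoke commands for the editor/admin
# grants the alert above forbids. Input format "ROLE TYPE:ID", one per line;
# SAMPLE_BINDINGS below is constructed, not real output.

SAMPLE_BINDINGS='viewer system:allAuthenticatedUsers
editor system:allUsers
editor userAccount:gfei8n54hmfhexample
admin system:allAuthenticatedUsers
compute.images.user serviceAccount:ajebqtreob2dexample'

# system_group_bindings BINDINGS: only the lines whose subject is a system group.
# Every such line is public access and worth a look, even the viewer ones.
system_group_bindings() {
    printf '%s\n' "$1" | awk '$2 ~ /^system:/'
}

# dangerous_public_bindings BINDINGS: system-group lines carrying editor or admin,
# the two roles the page says must never go to a system group.
dangerous_public_bindings() {
    system_group_bindings "$1" | awk '$1 == "editor" || $1 == "admin"'
}

# revoke_commands CLOUD BINDINGS: one yc remove-access-binding command per dangerous line.
revoke_commands() {
    cloud=$1
    dangerous_public_bindings "$2" | awk -v cloud="$cloud" \
        '{ printf "yc resource-manager cloud remove-access-binding %s --role %s --subject %s\n", cloud, $1, $2 }'
}

# audit_exit_code BINDINGS: succeeds (0) when no dangerous public binding exists, fails (1) otherwise,
# so the audit can gate a pipeline.
audit_exit_code() {
    [ -z "$(dangerous_public_bindings "$1")" ]
}

echo "System-group bindings on the cloud (review each one):"
system_group_bindings "$SAMPLE_BINDINGS" | sed 's/^/  /'
if ! audit_exit_code "$SAMPLE_BINDINGS"; then
    echo "editor/admin granted to a system group; revoke with:"
    revoke_commands my-cloud "$SAMPLE_BINDINGS" | sed 's/^/  /'
fi
```

The audit only flags what the page prohibits outright. Whether a viewer grant to allUsers is acceptable depends on what the cloud contains, which is why the script prints all system-group bindings for review rather than deciding for you.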